CVS Heap Overflow via Repeated Insertion of Entry Modified/Unchanged Flags

Published: 2004-05-19
Updated: 2004-05-24

Affected systems:
CVS CVS 1.12.7
CVS CVS 1.12.2
CVS CVS 1.12.1
CVS CVS 1.11.6
CVS CVS 1.11.5
CVS CVS 1.11.4
CVS CVS 1.11.3
CVS CVS 1.11.2
CVS CVS 1.11.15
CVS CVS 1.11.14
CVS CVS 1.11.11
CVS CVS 1.11.10
CVS CVS 1.11
CVS CVS 1.10.8
CVS CVS 1.10.7
CVS CVS 1.11.1p1
    - Conectiva Linux 8.0
    - Conectiva Linux 7.0
    - Debian Linux 3.0
    - FreeBSD 4.7
    - FreeBSD 4.6.1
    - FreeBSD 4.6
    - FreeBSD 4.5
    - OpenBSD 3.4
    - OpenBSD 3.3
    - OpenBSD 3.2
    - OpenBSD 3.1
    - RedHat Linux 7.3
    - RedHat Linux 7.2
    - RedHat Linux 7.1
    - RedHat Linux 7.0
    - RedHat Linux 6.2
    - SuSE Linux 8.1
    - SuSE Linux 8.0
Unaffected systems:
CVS CVS 1.12.8
CVS CVS 1.11.16
Description:
BUGTRAQ  ID: 10384
CVE(CAN) ID: CVE-2004-0396

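Concurrent Versions System (CVS) is a very widely used open-source version control system.

The CVS server mishandles the Is-modified and Unchanged commands, which a client submits to flag Entry data as modified or unmodified. A remote attacker can use this flaw to mount a heap-based overflow attack against the CVS service; carefully constructed input may execute arbitrary instructions on the system with the privileges of the process.

When a client sends an Entry line to the server, extra bytes are added to mark whether the Entry is modified or unmodified. The CVS server's logic for attaching this mark is flawed, allowing an arbitrary number of 'M' characters to be inserted into the heap buffer that holds the Entry data. Using malloc() off-by-one exploitation techniques, this can trigger a buffer overflow and may execute arbitrary instructions on the system with the privileges of the CVS process.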
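A defender-side check for the pattern described above, added here as an example; it is not code from the advisory or from CVS. It assumes an uncompressed capture of the client-to-server request stream after authentication, and the function name, sample stream, file names and threshold are constructed for illustration.

```python
from collections import Counter

# Constructed client-to-server request stream (not real traffic); the file
# name "suspect.c" and the repository path are made up for the example.
SAMPLE_STREAM = (
    b"Directory .\n/cvsroot/proj\n"
    b"Entry /main.c/1.4///\nIs-modified main.c\n"
    b"Entry /util.c/1.2///\nUnchanged util.c\n"
    # File body that merely looks like a request; it must not be counted.
    b"Entry /README/1.1///\nModified README\nu=rw,g=r,o=r\n19\nIs-modified README\n"
    b"Entry /suspect.c/1.1///\n" + b"Is-modified suspect.c\n" * 40
)


def repeated_markers(stream: bytes, threshold: int = 1) -> dict:
    """Map (directory, file) -> marker count for entries marked more than `threshold` times."""
    counts, directory, pos = Counter(), b"", 0

    def readline() -> bytes:
        nonlocal pos
        end = stream.find(b"\n", pos)
        end = len(stream) if end == -1 else end
        line, pos = stream[pos:end], end + 1
        return line

    while pos < len(stream):
        request, _, arg = readline().partition(b" ")
        if request == b"Directory":
            directory = arg
            readline()                      # second line: repository path
        elif request == b"Entry":
            fields = arg.split(b"/")        # /name/version/conflict/options/tag
            name = fields[1] if len(fields) > 1 else arg
            counts[(directory, name)] = 0   # assumption: count restarts per Entry line
        elif request == b"Modified":
            readline()                      # mode line
            size = readline().lstrip(b"z")  # "z" prefix marks a compressed body
            pos += int(size) if size.isdigit() else 0
        elif request in (b"Is-modified", b"Unchanged"):
            counts[(directory, arg)] += 1
    return {(d.decode("utf-8", "replace"), n.decode("utf-8", "replace")): c
            for (d, n), c in counts.items() if c > threshold}


if __name__ == "__main__":
    for (directory, name), count in repeated_markers(SAMPLE_STREAM).items():
        print(f"{directory}/{name}: {count} marker requests for one Entry line")
```

A normal client marks each Entry line at most once, so any file reported here deserves a look at the session that sent it.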

<*Source: Stefan Esser (s.esser@ematters.de)

  Links: http://security.e-matters.de/advisories/072004.html?SID=384b888de96e3bce19306db8577fca26
         http://www.linux-mandrake.com/en/security/2004/2004-048.php
         http://www.debian.org/security/2004/dsa-505
         ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc
*>

Recommendations:
Vendor patches:

CVS
---
The vendor has released upgrades that fix this security issue; download them from the vendor's site:

CVS Upgrade cvs-1.11.16.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&dlID=489

CVS Upgrade cvs-1.12.8.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&dlID=491

Debian
------
Debian has released a security advisory (DSA-505-1) and corresponding patches for this issue:
DSA-505-1: New cvs packages fix remote exploit
Link: http://www.debian.org/security/2002/dsa-505

Patch downloads:

Source archives:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4.dsc
Size/MD5 checksum:      693 c4580daf3d02e68bf271c3fc2fa9fe8c
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4.diff.gz
Size/MD5 checksum:    52212 a44f53ccf950679f3257a2f3487220b7
http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian.orig.tar.gz
Size/MD5 checksum:  2621658 500965ab9702b31605f8c58aa21a6205

Alpha architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_alpha.deb
Size/MD5 checksum:  1178736 503ab302999d5fec9c4cb41f735bc2ab

ARM architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_arm.deb
Size/MD5 checksum:  1105276 8b2536e975a3272b5d10590bd768b6c7

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_i386.deb
Size/MD5 checksum:  1085994 195aa822dbd450bbb3321f17442b3644

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_ia64.deb
Size/MD5 checksum:  1270986 2adee3e24f61234e0c597c55983257df

HP Precision architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_hppa.deb
Size/MD5 checksum:  1147338 e1a7eec47c9f6ca11d342c7a680abd93

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_m68k.deb
Size/MD5 checksum:  1065866 5238933fe0b1d9a9e7e2506cc39d8411

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_mips.deb
Size/MD5 checksum:  1129740 c6e9a932c2bdabbfee51c792d813a439

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_mipsel.deb
Size/MD5 checksum:  1131106 05424d6056d0c9123c88b7e7f6b27f7d

PowerPC architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_powerpc.deb
Size/MD5 checksum:  1116184 1fe49f6356a160087cf669f7afc12700

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_s390.deb
Size/MD5 checksum:  1097006 6e98ead7e926fc07203cf43e84b1152d

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/c/cvs/cvs_1.11.1p1debian-9woody4_sparc.deb
Size/MD5 checksum:  1107284 47f8dad7b309c9c19542bf1fc9502f77

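Patch installation:

1. Install the patch package manually:

  First, download the patch package with the following command:
  # wget url  (url is the patch download link)

  Then install the patch with the following command:
  # dpkg -i file.deb (file is the name of the corresponding patch package)

2. Install the patch package automatically with apt-get:

   First, update the internal database with the following command:
   # apt-get update

   Then install the updated packages with the following command:
   # apt-get upgrade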

FreeBSD
-------
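FreeBSD has released a security advisory (FreeBSD-SA-04:10) and corresponding patches for this issue:
FreeBSD-SA-04:10: CVS pserver protocol parser errors
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:10.cvs.asc

Patch downloads:

Do one of the following:

1) Upgrade the vulnerable system to 4-STABLE, or to the _5_2, RELENG_4_9 or RELENG_4_8
security branch dated after the correction date.

2) Patch the current system:

The following patch has been verified to apply to FreeBSD 4.7, 4.8, 4.9, 4.10, 5.0, 5.1 and 5.2 systems.

a) Download the relevant patch from the location below and verify the detached PGP signature using a PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch.asc

b) Run the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs
# make obj && make depend && make && make install

VI. Update Details

The following lists, for each file modified in the corrected FreeBSD versions, the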

MandrakeSoft
------------
http://www.debian.org/security/2004/dsa-505

S.u.S.E.
--------
S.u.S.E. has released a security advisory (SuSE-SA:2004:013) and corresponding patches for this issue:
SuSE-SA:2004:013: cvs
Link:

Patch downloads:

CVS CVS 1.11.1 p1:

SuSE Upgrade cvs-1.11.1p1-329.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cvs-1.11.1p1-329.i586.rpm

SuSE Upgrade cvs-1.11.1p1-329.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cvs-1.11.1p1-329.i586.patch.rpm

SuSE Upgrade cvs-1.11.1p1-329.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/cvs-1.11.1p1-329.i386.rpm

SuSE Upgrade cvs-1.11.1p1-329.i386.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/cvs-1.11.1p1-329.i386.patch.rpm

CVS CVS 1.11.5:

SuSE Upgrade cvs-1.11.5-112.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cvs-1.11.5-112.i586.rpm

SuSE Upgrade cvs-1.11.5-112.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cvs-1.11.5-112.i586.patch.rpm

CVS Upgrade cvs-1.11.16.tar.gz
http://ccvs.cvshome.org/servlets/ProjectDownloadList?action=download&dlID=489

CVS CVS 1.11.6:

SuSE Upgrade cvs-1.11.6-81.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvs-1.11.6-81.i586.rpm

SuSE Upgrade cvs-1.11.6-81.i586.patch.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cvs-1.11.6-81.i586.patch.rpm

SuSE Upgrade cvs-1.11.6-81.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cvs-1.11.6-81.x86_64.rpm

SuSE Upgrade cvs-1.11.6-81.x86_64.patch.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/cvs-1.11.6-81.x86_64.patch.rpm

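This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.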